A (t, n) threshold group signature scheme is a generalization of group signature, in which only t or more members from a given group with n members can represent the group to generate signatures anonymously, and the identities of the signers of a signature can be revealed in case of a later dispute. In this paper, we first present a definition of threshold group signatures, and propose several requirements to evaluate whether a threshold group signature scheme is secure and efficient. Then we investigate the security and efficiency of a threshold group signature scheme proposed by Li, Hwang, Lee and Tsai, and point out eight weaknesses in their scheme. The most serious weakness is that there is a framing attack on their scheme. In this framing attack, once the group private key is controlled, (n − t + 1) colluding group members can forge a valid threshold group signature on any given message, which looks as if it were signed by (t − 1) honest group members and one cheating member. At the same time, none of these (t − 1) honest members can detect this cheating behaviour, because they can still use the system to generate group signatures normally.
A group signature scheme allows a group member of a given group to sign messages on behalf of the group in an anonymous and unlinkable fashion. In case of a dispute, however, a designated group manager can reveal the signer of a valid group signature. Based on the Camenisch-Michels group signature scheme [7, 8], Kim, Lim and Lee proposed the first group signature scheme with a member deletion procedure at ICISC 2000 [15]. Their scheme is very efficient in both communication and computation aspects. Unfortunately, their scheme is insecure. In this paper, we first identify an effective way that allows any verifier to determine whether two valid group signatures are signed by the same group member. Secondly, we find that in their scheme a deleted group member can still update his signing key and then generate valid group signatures after he was deleted from the group. In other words, the Kim-Lim-Lee group signature scheme [15] is linkable and does not support secure group member deletion.
Undeniable signature is an intriguing concept introduced by Chaum and van Antwerpen at Crypto'89. In 1999, Lee and Hwang presented two group-oriented undeniable signature schemes with a trusted center. Their schemes are natural generalizations of Chaum's zero-knowledge undeniable signature scheme proposed in 1990. However, we find that the Lee-Hwang schemes are insecure. In this paper, we demonstrate five effective attacks on their schemes: four of them are insider universal forgeries, in which one dishonest member (possibly colluding with a verifier) can obtain a valid signature on any chosen message, and the fifth attack allows a dishonest member to prevent honest members from generating valid signatures. We also suggest heuristic improvements to overcome some of the problems exploited by these attacks.
A non-repudiation protocol enables the fair exchange of an electronic message and an irrefutable digital receipt between two mistrusting parties over the Internet. That is, at the end of any execution instance of such a protocol, either both parties obtain their expected items or neither party does. In this paper, we first argue that it is really meaningful in practice to exploit generic fair non-repudiation protocols with a transparent off-line trusted third party (TTP). Namely, in those protocols, each involved party can use any secure digital signature algorithm to produce non-repudiation evidence, and the issued evidence is the same regardless of whether the TTP is involved or not. Then, we present such a fair non-repudiation protocol to overcome some limitations and shortcomings of previous schemes. Technical discussions are provided to show that our protocol is not only secure but also the most efficient solution compared with existing non-repudiation protocols. In addition, some potential extensions are also pointed out.
A proxy signature scheme allows an entity to delegate his/her signing capability to another entity in such a way that the latter can sign messages on behalf of the former. Such schemes have been suggested for use in a number of applications, particularly in distributed computing where delegation of rights is quite common. Following the first schemes introduced by Mambo, Usuda and Okamoto in 1996, a number of new schemes and improvements have been proposed. In this paper, we present a security analysis of four such schemes newly proposed in [15, 16]. By identifying several interesting forgery attacks, we show that all four schemes are insecure. Consequently, the fully distributed proxy scheme in [11] is also insecure, since it is based on the (insecure) LKK scheme [14, 15]. In addition, we point out the reasons why the security proofs provided in [15] are invalid.
2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 2013
Single Sign-on (SSO) allows users to log on only once and then access different services via automatic authentication using the same credential. However, most existing SSO schemes either do not satisfy strong security notions or require a high trust level in a trusted third party (TTP), even though SSO has become popular in new distributed systems and computer networks. Motivated by this fact, we formalise a new security model of single sign-on, which not only satisfies strong security notions but also requires a low trust level in the TTP. We then propose a generic construction of SSO from nominative signatures, and present a concrete instantiation. We also provide formal proofs to show that the proposed SSO scheme is secure according to our new formal model if the underlying nominative signature is secure. We note that this is the first study that investigates the link between SSO and nominative signatures, which may also be of independent interest.
In this paper, we propose a new ID-based blind signature scheme based on bilinear pairings from scratch (i.e. without using existing ID-based signature schemes, and without using existing computational assumptions). First, the round complexity of our ID-based blind signature scheme is optimal. Namely, each interactive signature generation requires the requesting user and the signer to transmit only one message each. Second, the proposed scheme is provably secure against the generic parallel attack without using the ROS assumption. Indeed, the security of the proposed scheme is based on a new formalized assumption called the one-more bilinear Diffie-Hellman Inversion (1m-BDHI) assumption.
A group signature scheme allows a group member of a given group to sign messages on behalf of the group in an anonymous and unlinkable way. In case of a dispute, however, a designated group manager can reveal the signer of a valid group signature. Based on Song's forward-secure group signature schemes, Zhang, Wu, and Wang proposed a new group signature scheme with forward security at ICICS 2003. Their scheme is very efficient in both communication and computation aspects. Unfortunately, their scheme is insecure. In this paper we present a security analysis to show that their scheme is linkable, untraceable, and forgeable.
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2012
An optimistic fair exchange (OFE) protocol is an effective tool helping two parties exchange their digital items in an equitable way with the assistance of a trusted third party, called the arbitrator, who is involved only if needed. In previous studies, fair exchange is usually carried out between individual parties. When fair exchange is carried out between two members from distinct groups, anonymity of the signer within a group may be necessary for better privacy. In this paper, we consider optimistic fair exchange of ring signatures (OFERS), i.e. two members from two different groups can exchange their ring signatures in a fair way with ambiguous signers. Each user in these groups has its own public-private key pair and is able to sign a message on behalf of its own group anonymously. We first define the security model of OFERS in the multi-user setting under adaptive chosen-message, chosen-key and chosen-public-key attacks. Then, based on verifiably encrypted ring signatures (VERS), we construct a concrete scheme by combining the techniques of ring signatures, public-key encryption and proofs of knowledge. Finally, we show that our OFERS solution is provably secure in our security model and preserves the signer-ambiguity of ring signatures. To the best of our knowledge, this is the first (formal) work on this topic.
In a proxy signature scheme, a user delegates his/her signing capability to another user in such a way that the latter can sign messages on behalf of the former. In this paper, we propose an efficient and secure proxy signature scheme with multiple original signers. Our scheme is suitable for wireless electronic commerce applications, since the overheads of computation and communication are low. As an example, we present an electronic air ticket booking scheme for wireless customers.
PCCC 2005. 24th IEEE International Performance, Computing, and Communications Conference, 2005.
Most previous work on key management in ad hoc networks can only resist passive attacks, such as dropping a certificate request, and is vulnerable to active attacks, such as returning a fake reply to the node requesting the certification service. In this paper, we propose two algorithms to address both the security and the efficiency of certification services in ad hoc networks. Both algorithms can resist active attacks. In addition, simulation results show that, compared to previous work, our second algorithm is not only much faster in a friendly environment, but also works well in a hostile environment in which existing schemes perform poorly. Furthermore, the process of generating partial certificates in our second algorithm is extremely fast. Such an advantage is critical in ad hoc networks, where by nature the less help a node requests from its neighbours, the higher its chance of obtaining that help. Consequently, using our second algorithm, a node can easily find enough neighbouring nodes that provide the certification service.
After the introduction of designated confirmer signatures (DCS) by Chaum in 1994, considerable research has been done to build generic schemes from standard digital signatures and to construct efficient concrete solutions. In DCS schemes, a signature cannot be verified without the help of either the signer or a semi-trusted third party, called the designated confirmer. If necessary, the confirmer can further convert a DCS into an ordinary signature that is publicly verifiable. However, there is one limitation in most existing schemes: the signer is not given the ability to disavow invalid DCS signatures. Motivated by this observation, in this paper we first propose a new variant of the DCS model, called designated confirmer signatures with unified verification, in which both the signer and the designated confirmer can run the same protocols to confirm a valid DCS or disavow an invalid signature. Then, we present the first DCS scheme with unified verification and prove its security in the random oracle (RO) model under a new computational assumption, called the Decisional Coefficient Linear (D-co-L) assumption, whose intractability in pairing settings is shown to be equivalent to the well-known Decisional Bilinear Diffie-Hellman (DBDH) assumption. The proposed scheme is constructed by encrypting Boneh, Lynn and Shacham's pairing-based short signatures with signed ElGamal encryption. The resulting solution is efficient in both computation and communication. In addition, we point out that the proposed concept can be generalized by allowing the signer to run different protocols for confirming and disavowing signatures.
This paper introduces a new concept called controllable ring signature, which is a ring signature with the following additional properties. (1) Anonymous identification: by an anonymous identification protocol, the real signer can anonymously prove his authorship of the ring signature to a verifier, and this proof is non-transferable. (2) Linkable signature: the real signer can generate an anonymous signature such that everyone can verify whether this anonymous signature and the ring signature were generated by the same anonymous signer. (3) Convertibility: the real signer can convert a ring signature into an ordinary signature by revealing the secret information about the ring signature. These additional properties fully protect the interests of the real signer. In particular, compared with a standard ring signature, a controllable ring signature is more suitable for the classic application of leaking secrets. We construct a controllable ring signature scheme which is provably secure according to the formal definition.
IEEE Transactions on Information Forensics and Security, 2014
Optimistic fair exchange (OFE) is a type of cryptographic protocol aimed at solving the fair exchange problem over open networks with the help of a third party that settles disputes between the exchanging parties. It is well known that a third party is necessary in the realization of a fair exchange protocol. However, a fully trusted third party may not be available over open networks. In most proposed OFE protocols, security depends on the assumption that the third party is semi-trusted, in the sense that it may misbehave on its own but does not conspire with either of the main parties. The existing security models of OFE have not taken into account the case where a potentially dishonest third party colludes with a signer by sharing its secret key with the signer. In this paper, to reduce the trust level of the arbitrator and increase the security of OFE, we propose an enhanced security model that, for the first time, captures this scenario. We also show a separation between the existing model and our enhanced model with a concrete counterexample. Finally, we revisit two popular approaches to the construction of OFE protocols, based on verifiably encrypted signatures and on a conventional signature plus a ring signature, respectively. Our result shows that the conventional-signature-plus-ring-signature approach remains valid in our enhanced model. However, for schemes based on verifiably encrypted signatures, slight modifications are needed to guarantee security.
In a (t, n) proxy signature scheme, the original signer can delegate his/her signing capability to n proxy signers such that any t or more proxy signers can sign messages on behalf of the original signer, but t − 1 or fewer of them cannot. Such schemes have been suggested for use in a number of applications, particularly in distributed computing where delegation of rights is quite common. Based on the RSA cryptosystem, Hwang et al. recently proposed an efficient (t, n) threshold proxy signature scheme. In this paper we identify several security weaknesses in their scheme and show that their scheme is insecure.
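The (t, n) threshold property that both this abstract and the threshold group signature abstract above rely on can be seen concretely in Shamir secret sharing over a prime field. The following Python is an added illustration, not code from the RSA-based scheme of Hwang et al., from the Li-Hwang-Lee-Tsai scheme, or from any other paper on this page; the prime P, the secret and the share indices are toy parameters chosen for readability. It shows the two halves of the threshold boundary a secure (t, n) scheme must enforce: any t shares recover the secret, while any t − 1 shares are consistent with every possible secret, so a coalition below the threshold learns nothing.

```python
"""Shamir (t, n) secret sharing over GF(P): a worked illustration of the
threshold property.  Added example; toy parameters, not production code."""
import random

# Assumption: a Mersenne prime small enough to read; real deployments use
# primes at least as large as the secret space they protect.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k]*x^k mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, t, n, rng=random):
    """Split `secret` into n shares (x, f(x)) of a random degree-(t-1)
    polynomial f with f(0) = secret.  Any t shares reconstruct; fewer do not."""
    if not (1 <= t <= n < P):
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def interpolate_at(points, x):
    """Lagrange interpolation over GF(P): value at `x` of the unique
    polynomial of degree < len(points) passing through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        # den != 0 because share indices are distinct; P prime => inverse exists
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(shares):
    """Recover the secret f(0) from any t (or more) distinct shares."""
    return interpolate_at(shares, 0)


def implied_share(partial, candidate, x):
    """Given only t-1 shares and ANY candidate secret, compute the y-value a
    share at index `x` would need so that the t points interpolate to
    `candidate`.  Every candidate admits such a completion, which is why t-1
    shares carry no information about the real secret."""
    if x == 0 or any(xi == x for xi, _ in partial):
        raise ValueError("x must be a fresh, non-zero index")
    return interpolate_at(partial + [(0, candidate)], x)


if __name__ == "__main__":
    t, n, secret = 3, 5, 12345
    shares = share(secret, t, n, rng=random.Random(1))
    print("any t shares recover the secret:",
          reconstruct(shares[:t]) == secret, reconstruct(shares[-t:]) == secret)
    below = shares[: t - 1]
    for guess in (0, 777, secret):
        y = implied_share(below, guess, x=4)
        print(f"t-1 shares are consistent with secret={guess}:",
              reconstruct(below + [(4, y)]) == guess)
```

The `implied_share` function is the interesting half: it makes the "t − 1 shares learn nothing" claim checkable rather than a statement to be taken on trust, and the same interpolation is what lets a coalition holding enough shares complete the polynomial.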
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security - ASIACCS '11, 2011
As an important cryptographic primitive, designated confirmer signatures were introduced to control the public verifiability of signatures. That is, only the signer or a semi-trusted party, called the designated confirmer, can interactively assist a verifier in checking the validity of a designated confirmer signature. The central security property of a designated confirmer signature scheme is called invisibility, which requires that even an adaptive adversary cannot determine the validity of an alleged signature without direct cooperation from either the signer or the designated confirmer. However, researchers have proposed two other related properties in the literature, called impersonation and transcript simulatability, though the relations between them are not clear. In this paper, we first explore the relations among these three invisibility-related notions and conclude that invisibility, impersonation and transcript simulatability form a strictly increasing order of strength. After that, we study the invisibility of two designated confirmer signature schemes recently presented by Zhang et al. and Wei et al. By demonstrating concrete and effective attacks, we show that both schemes fail to meet invisibility, the central security property of designated confirmer signatures.
In recent years, Popescu proposed several group signature schemes based on the Okamoto-Shiraishi assumption in [8-11], and claimed that his schemes are secure. However, this paper demonstrates that these schemes are all insecure by identifying several security flaws. Exploiting these flaws, an attacker without any secret can mount universal forgery attacks. That is, anybody (not necessarily a group member) can forge valid group signatures on arbitrary messages of his/her choice.
Signcryption is a new cryptographic primitive that performs signing and encryption simultaneously, at a cost significantly lower than that required by the traditional signature-then-encryption approach. In this paper, we present a security analysis of two such schemes: the Huang-Chang convertible signcryption scheme [12], and the Kwak-Moon group signcryption scheme [13]. Our results show that both schemes are insecure. Specifically, the Huang-Chang scheme fails to provide confidentiality, while the Kwak-Moon scheme does not satisfy the properties of unforgeability, coalition-resistance, and traceability.
This paper introduces a new concept called controllable ring signature, which is a ring signature with the following additional properties. (1) Anonymous identification: by an anonymous identification protocol, the real signer can anonymously prove his authorship of the ring signature to a verifier, and this proof is non-transferable. (2) Linkable signature: the real signer can generate an anonymous signature such that everyone can verify whether this anonymous signature and the ring signature were generated by the same anonymous signer. (3) Convertibility: the real signer can convert a ring signature into an ordinary signature by revealing the secret information about the ring signature. These additional properties fully protect the interests of the real signer. In particular, compared with a standard ring signature, a controllable ring signature is more suitable for the classic application of leaking secrets. We construct a controllable ring signature scheme which is provably secure according to the formal definition. As an application, we design an E-prosecution scheme based on this controllable ring signature scheme and show its security.
Papers by Guilin Wang